---
layout: docs
page_title: Syslog - Audit Devices
description: The "syslog" audit device writes audit logs to syslog.
---

> [!IMPORTANT]  
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.

# Syslog audit device

The `syslog` audit device writes audit logs to syslog.

It currently does not support a configurable syslog destination, and always
sends to the local agent. This device is only supported on Unix systems,
and should not be enabled if any standby Vault instances do not support it.

~> **Warning**: Audit messages generated for some operations can be quite
large, and can be larger than a [maximum-size single UDP
packet](https://tools.ietf.org/html/rfc5426#section-3.1). If possible with your
syslog daemon, configure a TCP listener. Otherwise, consider using a `file`
backend and having syslog configured to read entries from the file; or, enable
both `file` and `syslog` so that a failure for a particular message to log
directly to `syslog` will not result in Vault being blocked.

## Examples

Audit `syslog` device can be enabled by the following command:

```shell-session
$ vault audit enable syslog
```

Supply configuration parameters via K=V pairs:

```shell-session
$ vault audit enable syslog tag="vault" facility="AUTH"
```

## Configuration

The `syslog` audit device supports the common configuration options documented on
the [main Audit Devices page](/vault/docs/audit#common-configuration-options), and
these device-specific options:

- `facility` `(string: "AUTH")` - The syslog facility to use.

- `tag` `(string: "vault")` - The syslog tag to use.


## Notes

If the items written to the syslog audit device are larger than the syslog host's configured maximum socket
send buffer, then Vault will log an error such as this example:

```
[ERROR] audit: backend failed to log response:  backend=syslog/ error=write unixgram ->/var/run/log: write: message too long
[ERROR] core: failed to audit response: request_path=pki/certs/ error=1 error occurred:
* no audit backend succeeded in logging the response
```

To remediate this, consult the [Linux Programmer's Manual manual page for socket(7)] (https://man7.org/linux/man-pages/man7/socket.7.html) to
increase socket send buffer size.
